Ethereal-users: RE: [Ethereal-users] Find Frame / Filtering
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Evers, John E." <JEVERS@xxxxxxx>
Date: Tue, 27 Aug 2002 11:43:09 -0500
Martin, I am still having issues finding anything in the hex data payload field, I have tried the following to find "This" at offset C4 file data, highlighted in yellow. I really need to find values in the file data without knowing the offset in the file data field, but in some cases I also look for something I know the offset of. One other solution is to print out the data to a file and use some other program for the search, but try opening a 500MN with MS word pad or note pad. Filter and Find Frame ( I also enclosed the hex values in "" to see if that was the secret) smb [c4:c7] == 54:68:69:73 tcp [c4:c7] == 54:68:69:73 ip [c4:c7] == 54:68:69:73 data [c4:c7] == 54:68:69:73 Frame 12 (1514 on wire, 1514 captured) Arrival Time: Aug 26, 2002 16:21:09.215750000 Time delta from previous packet: 0.001852000 seconds Time relative to first packet: 0.476325000 seconds Frame Number: 12 Packet Length: 1514 bytes Capture Length: 1514 bytes Ethernet II Destination: 00:c0:4f:9b:a0:ba (TASKSERVER10) Source: 00:90:27:78:ad:ff (Intel_78:ad:ff) Type: IP (0x0800) Internet Protocol, Src Addr: dell6300_sql2.lab.ncs.winternet.com (192.168.100.114), Dst Addr: TASKSERVER10 (192.168.100.10) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 1500 Identification: 0xd04c Flags: 0x04 .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (0x06) Header checksum: 0xdb01 (correct) Source: dell6300_sql2.lab.ncs.winternet.com (192.168.100.114) Destination: TASKSERVER10 (192.168.100.10) Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1960 (1960), Seq: 177780446, Ack: 1629002547, Len: 1460 Source port: microsoft-ds (445) Destination port: 1960 (1960) Sequence number: 177780446 Next sequence number: 177781906 Acknowledgement number: 1629002547 Header length: 20 bytes Flags: 0x0010 (ACK) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 0... = Push: Not set .... .0.. = Reset: Not set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Window size: 16805 Checksum: 0xdb4c (correct) NetBIOS Session Service Message Type: Session message Length: 4156 SMB (Server Message Block Protocol) SMB Header Server Component: SMB Response to: 11 SMB Command: Read AndX (0x2e) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x98 1... .... = Request/Response: Message is a response to the client/redirector .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xe807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..1. .... .... .... = Execute-only Reads: Permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Reserved: 000000000000000000000000 Tree ID: 2049 Process ID: 65279 User ID: 2049 Multiplex ID: 59267 Read AndX Response (0x2e) Word Count (WCT): 12 AndXCommand: No further commands (0xff) Reserved: 00 AndXOffset: 0 FID: 0xc02a Remaining: 65535 Data Compaction Mode: 0 Reserved: 0000 Data Length: 4096 Data Offset: 60 Reserved: 00000000000000000000 Byte Count (BCC): 4097 Padding: 01 File Data: Incomplete. Only 1396 of 4096 bytes 0000 00 c0 4f 9b a0 ba 00 90 27 78 ad ff 08 00 45 00 ..O.....'x....E. 0010 05 dc d0 4c 40 00 80 06 db 01 c0 a8 64 72 c0 a8 ...L@xxxxxxxxx.. 0020 64 0a 01 bd 07 a8 0a 98 b6 de 61 18 9b 33 50 10 d.........a..3P. 0030 41 a5 db 4c 00 00 00 00 10 3c ff 53 4d 42 2e 00 A..L.....<.SMB.. 0040 00 00 00 98 07 e8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 01 08 ff fe 01 08 83 e7 0c ff 00 00 00 ff ................ 0060 ff 00 00 00 00 00 10 3c 00 00 00 00 00 00 00 00 .......<........ 0070 00 00 00 01 10 01 4d 5a 90 00 03 00 00 00 04 00 ......MZ........ 0080 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 ..............@. 0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00b0 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 ..............!. 00c0 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d .L.!This program 00d0 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 cannot be run i 00e0 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 n DOS mode....$. 00f0 00 00 00 00 00 00 72 0e bb b5 36 6f d5 e6 36 6f ......r...6o..6o 0100 d5 e6 36 6f d5 e6 68 4d de e6 35 6f d5 e6 4d 73 ..6o..hM..5o..Ms 0110 d9 e6 3a 6f d5 e6 b5 73 db e6 18 6f d5 e6 59 70 ..:o...s...o..Yp 0120 df e6 bf 6f d5 e6 59 70 de e6 3c 6f d5 e6 36 6f ...o..Yp..<o..6o 0130 d5 e6 24 6f d5 e6 60 70 c6 e6 3a 6f d5 e6 36 6f ..$o..`p..:o..6o 0140 d4 e6 b8 6e d5 e6 54 70 c6 e6 23 6f d5 e6 30 4c ...n..Tp..#o..0L 0150 de e6 3f 6f d5 e6 30 4c df e6 2a 6e d5 e6 f1 69 ..?o..0L..*n...i 0160 d3 e6 37 6f d5 e6 52 69 63 68 36 6f d5 e6 00 00 ..7o..Rich6o.... 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0180 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 33 c3 ......PE..L...3. 0190 f7 3c 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 .<.............. 01a0 06 00 00 90 3f 00 00 b0 30 00 00 00 00 00 46 b0 ....?...0.....F. 01b0 3e 00 00 10 00 00 00 a0 3f 00 00 00 40 00 00 10 >.......?...@... 01c0 00 00 00 10 00 00 04 00 00 00 04 00 00 00 04 00 ................ 01d0 00 00 00 00 00 00 00 50 70 00 00 10 00 00 00 00 .......Pp....... 01e0 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 ................ 01f0 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 ................ 0200 00 00 00 00 00 00 00 c0 42 00 04 01 00 00 00 00 ........B....... 0210 43 00 13 dc 2b 00 00 00 00 00 00 00 00 00 00 00 C...+........... 0220 00 00 00 00 00 00 00 e0 6e 00 14 21 01 00 00 00 ........n..!.... 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cb ................ 0260 42 00 e8 09 00 00 00 00 00 00 00 00 00 00 00 00 B............... 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 ...............t 0280 65 78 74 00 00 00 82 82 3f 00 00 10 00 00 00 90 ext.....?....... 0290 3f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 ?............... 02a0 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e8 20 .. ..`.rdata... 02b0 00 00 00 a0 3f 00 00 30 00 00 00 a0 3f 00 00 00 ....?..0....?... 02c0 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 ..........@..@.d 02d0 61 74 61 00 00 00 f0 e7 02 00 00 d0 3f 00 00 40 ata.........?..@ 02e0 02 00 00 d0 3f 00 00 00 00 00 00 00 00 00 00 00 ....?........... 02f0 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ad 32 ..@....idata...2 0300 00 00 00 c0 42 00 00 40 00 00 00 10 42 00 00 00 ....B..@....B... 0310 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 ..........@....r 0320 73 72 63 00 00 00 13 dc 2b 00 00 00 43 00 00 e0 src.....+...C... 0330 2b 00 00 50 42 00 00 00 00 00 00 00 00 00 00 00 +..PB........... 0340 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 6b ..@..@.reloc...k 0350 01 00 00 e0 6e 00 00 70 01 00 00 30 6e 00 00 00 ....n..p...0n... 0360 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 ..........@..B.. 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 03a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 03b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 03c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 03d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 03e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 03f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 04a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 04b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 04c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 04d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 04e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 04f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 05a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 05b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 05c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 05d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 05e0 00 00 00 00 00 00 00 00 00 00 .......... Thanks John -----Original Message----- From: Visser, Martin (Sydney) [mailto:Martin.Visser@xxxxxx] Sent: Monday, August 26, 2002 6:21 PM To: ethereal-users@xxxxxxxxxxxx Cc: Evers, John E. Subject: RE: [Ethereal-users] Find Frame / Filtering You're right, there is something broken (at least in 0.9.3 on win32). However there is a workaround that may work for you. For the bug fixers the following two examples DO match packets correctly :- ipx[0:2] == "ff:ff" ipx[0:8] == "ff:ff:00:72:03:11:0a:8f" ipx[0] == "ff" && ipx [1] == "ff" But the following DON'T match ipx[0:] == "ff:ff" ipx[0:1] == "ff:ff" ipx[0:42] == "ff:ff" It seems that an open ended range or a range that doesn't exactly match the number of bytes in the match string doesn't work. -----Original Message----- From: Evers, John E. [mailto:JEVERS@xxxxxxx] Sent: Tuesday, 27 August 2002 7:44 AM To: ethereal-users@xxxxxxxxxxxx Subject: [Ethereal-users] Find Frame / Filtering Hi, I do a lot of tracing which requires searching / filtering on the data stream. I have tried the "Find Frame" and "Filtering" options with the following parameters. smb[0:] == 43:00:6f:00:6d:00:6d:00: ;I copied the hex data stream from the hex data of a trace. ip[0:] == 43:00:6f:00:6d:00:6d:00: ;I copied the hex data stream from the hex data of a trace. tcp[0:] == 43:00:6f:00:6d:00:6d:00: ;I copied the hex data stream from the hex data of a trace. data[0:] == 43:00:6f:00:6d:00:6d:00: ;I copied the hex data stream from the hex data of a trace. I've have also tried to search for hex streams that were not separated by the 00 hex characters as in the above example, same results. Applying as a Filter displays no results and Find Frame responds with a "No Packet Matched Filter" message. I am guessing Ethereal dose not support this, but as it is important to me I want to make sure before I abandon it for this application. Thanks for any feed back. John ************************************************************************ **** This email may contain confidential material. If you were not an intended recipient, Please notify the sender and delete all copies. We may monitor email to and from our network. ************************************************************************ **** _______________________________________________ Ethereal-users mailing list Ethereal-users@xxxxxxxxxxxx http://www.ethereal.com/mailman/listinfo/ethereal-users **************************************************************************** This email may contain confidential material. If you were not an intended recipient, Please notify the sender and delete all copies. We may monitor email to and from our network. ****************************************************************************
- Prev by Date: Re: [Ethereal-users] help
- Next by Date: Re: [Ethereal-users] Error making 0.9.6 on Solaris 2.6
- Previous by thread: RE: [Ethereal-users] Find Frame / Filtering
- Next by thread: RE: [Ethereal-users] Find Frame / Filtering
- Index(es):